Systems and methods are provided for detecting an anomalous condition in a virtual computing environment having a virtualization control system coupled to a physical server, disk drive, and networking resources, where the virtualization control system is configured to partition the physical resources into virtual resources including virtual processor, memory, and storage resources for a plurality of virtual servers. Contents of a plurality of virtual memory storage locations are determined, where the virtual memory storage locations span multiple virtual servers. A runtime state of the virtual environment is determined based on the contents of the virtual memory storage locations. The runtime state of the virtual environment is verified for correctness or compared with a baseline state to identify a deviation from the baseline state, and a corrective action is performed when the deviation meets a predetermined criterion.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer-implemented method of detecting an anomalous condition in a virtual computing environment having a virtualization control system coupled to a physical server, disk drive, and networking resources, wherein the virtualization control system is configured to partition the physical resources into virtual resources including virtual processor, memory, and storage resources for a plurality of virtual servers, comprising: determining contents of a plurality of virtual memory storage locations, wherein the virtual memory storage locations span multiple virtual servers, wherein the contents of the virtual memory storage locations are accessed using operating system profiles, where an operating system profile is selected to determine contents of a particular memory storage location based upon an operating system of a virtual server associated with the particular memory storage location; determining a runtime state of the virtual environment based on the contents of the virtual memory storage locations; comparing the runtime state of the virtual environment with a baseline state to identify a deviation from the baseline state; and performing a corrective action when the deviation meets a predetermined criteria.
2. The method of claim 1, wherein the corrective action includes removing an unauthorized portion of code from the virtual environment.
3. The method of claim 1, wherein the deviation affects multiple virtual servers.
4. The method of claim 3, wherein the deviation that affects multiple virtual servers is identified using a single comparison of the runtime state with the baseline state.
5. The method of claim 3, wherein the deviation is caused by an infiltration that spread across the multiple virtual servers via physical memory hardware that is shared across the multiple virtual servers.
6. The method of claim 1, wherein the method is performed using a single application using no additional applications deployed on individual virtual servers.
7. The method of claim 1, wherein the deviation is identified based on a detection of an operating system data structure deviating from a trusted state.
8. The method of claim 1, wherein the deviation is identified based on a change in a relationship between two data structures.
9. The method of claim 1, wherein the determining the contents of virtual memory storage locations includes polling virtual memory storage locations across the plurality of virtual servers.
10. The method of claim 1, wherein the comparing includes determining whether critical components of an operating system have been modified.
11. The method of claim 1, wherein the deviation is identified based on the comparison without consideration of any malware signatures.
12. The method of claim 1, further comprising determining contents of virtual non-volatile storage locations that span multiple virtual servers, wherein the determining the runtime state of the virtual environment is further based on the contents of the non-volatile storage locations.
13. The method of claim 1, wherein the contents of the virtual memory storage location are accessed using operating system profiles, where an operating system profile is selected to determine contents of a particular memory storage location based upon an operating system of a virtual server associated with the particular memory storage location.
14. The method of claim 1, wherein fees are charged for virtual server usage of virtual processor and memory, wherein the method is performed without usage of virtual processor associated with any of the plurality of virtual servers.
15. The method of claim 1, the deviation is based on a modification of operating system data structures, a modification of application data structures, anomalous memory allocations, a manipulation of relationships among data structures, an incorporation of foreign or un-trusted capabilities or code, or a violation of compliance or organizational policies.
16. The method of claim 1, wherein the corrective action includes providing a notification of the deviation and providing a virtual appliance configured to support an incident investigation and response.
17. The method of claim 16, wherein the virtual appliance includes an integrity meter display, wherein the integrity meter display is updated based on the identification of the deviation.
18. The method of claim 16, wherein the virtual appliance includes a component age display that depicts dates of implementation or modification associated with components of the virtual computing environment.
19. The method of claim 1, wherein the runtime state is represented using a first tree structure, wherein the baseline state is represented using a second tree structure, and the runtime state is compared with the baseline state by comparing the tree structures.
20. The method of claim 1, wherein the deviation is identified based on an unauthorized data record being incorporated into a linked list.
21. The method of claim 1, wherein the corrective action includes providing a notification of the deviation.
22. A non-transitory computer-readable storage medium encoded with instructions for commanding one or more data processors to execute a method of detecting an anomalous condition in a virtual computing environment having a virtualization control system coupled to a physical server, disk drive, and networking resources, wherein the virtualization control system is configured to partition the physical resources into virtual resources including virtual processor, memory, and storage resources for a plurality of virtual servers, the method comprising: determining contents of a plurality of virtual memory storage locations, wherein the virtual memory storage locations span multiple virtual servers, wherein the contents of the virtual memory storage locations are accessed using operating system profiles, where an operating system profile is selected to determine contents of a particular memory storage location based upon an operating system of a virtual server associated with the particular memory storage location; determining a runtime state of the virtual environment based on the contents of the virtual memory storage locations; comparing the runtime state of the virtual environment with a baseline state to identify a deviation from the baseline state; and performing a corrective action when the deviation meets a predetermined criteria.
23. A computer-implemented system for detecting an anomalous condition in a virtual computing environment, comprising: a plurality of physical servers that include physical resources, wherein the physical resources include physical memory, physical storage, and physical processor resources; a virtualization control system coupled to the physical servers, wherein the virtualization control system is configured to partition the physical resources into virtual resources including virtual processor, memory, and storage resources for a plurality of virtual servers; and an environment validation engine configured to: determine contents of a plurality of virtual memory storage locations, wherein the virtual memory storage locations span multiple virtual servers, wherein the contents of the virtual memory storage location are accessed using operating system profiles, where an operating system profile is selected to determine contents of a particular memory storage location based upon an operating system of a virtual server associated with the particular memory storage location; determine a runtime state of the virtual environment based on the contents of the virtual memory storage locations; compare the runtime state of the virtual environment with a baseline state to identify a deviation from the baseline state; and perform a corrective action when the deviation meets a predetermined criteria.
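The mechanism the claims describe (reading guest memory from outside the virtual servers with a per-OS profile, building a runtime-state tree, and diffing it against a baseline in a single signature-free comparison) as an added example; this is not the patent's or any vendor's code. The OS profiles, memory layouts, guest images and baseline are all constructed for the example, and the "process list" is a toy linked list rather than a real kernel structure.

```python
import struct

# OS profiles (constructed layouts): offset of the process-list head pointer and,
# inside each 8-byte record, of the 4-byte name and 4-byte LE "next" pointer (0 = end).
PROFILES = {"os_a": {"head": 0, "name": 0, "next": 4},
            "os_b": {"head": 4, "name": 4, "next": 0}}

def build_image(p, names):
    """Constructed guest memory: 8-byte header with the list head, records from offset 8."""
    img = bytearray(8 + 8 * len(names))
    struct.pack_into("<I", img, p["head"], 8 if names else 0)
    for i, name in enumerate(names):
        base = 8 + 8 * i
        img[base + p["name"]:base + p["name"] + 4] = name.encode().ljust(4, b"\0")[:4]
        struct.pack_into("<I", img, base + p["next"], base + 8 if i + 1 < len(names) else 0)
    return bytes(img)

def walk_list(image, p):
    """Follow the guest's linked list from outside the VM using the profile's offsets."""
    names, ptr = [], struct.unpack_from("<I", image, p["head"])[0]
    while ptr:
        names.append(image[ptr + p["name"]:ptr + p["name"] + 4].rstrip(b"\0").decode())
        ptr = struct.unpack_from("<I", image, ptr + p["next"])[0]
    return names

def runtime_state(env):
    """Runtime-state tree {vm: {"procs": [...]}}; the profile is picked per guest OS."""
    return {vm: {"procs": walk_list(img, PROFILES[os])} for vm, (os, img) in env.items()}

def find_deviations(runtime, baseline):
    """One comparison of the two trees: records not in the baseline, no signatures involved."""
    dev = {vm: sorted(set(n["procs"]) - set(baseline[vm]["procs"])) for vm, n in runtime.items()}
    return {vm: extra for vm, extra in dev.items() if extra}

def cross_vm(dev):
    """Deviant records seen in more than one guest, i.e. a deviation spanning VMs."""
    counts = {}
    for names in dev.values():
        for n in names:
            counts[n] = counts.get(n, 0) + 1
    return sorted(n for n, c in counts.items() if c > 1)

# Constructed baseline and live environment: "xtra" is an unauthorized record that
# has been linked into two guests' process lists.
BASELINE = {"vm1": {"procs": ["init", "sshd"]}, "vm2": {"procs": ["init", "http"]},
            "vm3": {"procs": ["init"]}}
ENV = {"vm1": ("os_a", build_image(PROFILES["os_a"], ["init", "sshd", "xtra"])),
       "vm2": ("os_b", build_image(PROFILES["os_b"], ["init", "http", "xtra"])),
       "vm3": ("os_a", build_image(PROFILES["os_a"], ["init"]))}
```

`find_deviations(runtime_state(ENV), BASELINE)` flags the extra record in vm1 and vm2 in one pass, and `cross_vm` shows it spans both guests; a corrective action such as a notification would be keyed off that result.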
December 9, 2011
July 26, 2016